Remove SchnorrProof in favor of CanonicalLinearRelation (#72)

Author: nategraf

src/composition.rs

@@ -1,6 +1,6 @@
 //! # Protocol Composition with AND/OR Logic
 //!
-//! This module defines the [`ComposedRelation`] enum, which generalizes the [`SchnorrProof`]
+//! This module defines the [`ComposedRelation`] enum, which generalizes the [`CanonicalLinearRelation`]
 //! by enabling compositional logic between multiple proof instances.
 //!
 //! Specifically, it supports:
@@ -30,51 +30,50 @@ use crate::{
     codec::Shake128DuplexSponge,
     errors::Error,
     fiat_shamir::Nizk,
-    linear_relation::LinearRelation,
-    schnorr_protocol::SchnorrProof,
+    linear_relation::{CanonicalLinearRelation, LinearRelation},
     serialization::{deserialize_scalars, serialize_scalars},
     traits::{SigmaProtocol, SigmaProtocolSimulator},
 };
 
-/// A protocol proving knowledge of a witness for a composition of SchnorrProof's.
+/// A protocol proving knowledge of a witness for a composition of linear relations.
 ///
-/// This implementation generalizes [`SchnorrProof`] by using AND/OR links.
+/// This implementation generalizes [`CanonicalLinearRelation`] by using AND/OR links.
 ///
 /// # Type Parameters
 /// - `G`: A cryptographic group implementing [`group::Group`] and [`group::GroupEncoding`].
 #[derive(Clone)]
 pub enum ComposedRelation<G: PrimeGroup> {
-    Simple(SchnorrProof<G>),
+    Simple(CanonicalLinearRelation<G>),
     And(Vec<ComposedRelation<G>>),
     Or(Vec<ComposedRelation<G>>),
 }
 
-impl<G: PrimeGroup> From<SchnorrProof<G>> for ComposedRelation<G> {
-    fn from(value: SchnorrProof<G>) -> Self {
+impl<G: PrimeGroup> From<CanonicalLinearRelation<G>> for ComposedRelation<G> {
+    fn from(value: CanonicalLinearRelation<G>) -> Self {
         ComposedRelation::Simple(value)
     }
 }
 
 impl<G: PrimeGroup> From<LinearRelation<G>> for ComposedRelation<G> {
     fn from(value: LinearRelation<G>) -> Self {
         Self::Simple(
-            SchnorrProof::try_from(value)
-                .expect("Failed to convert LinearRelation to SchnorrProof"),
+            CanonicalLinearRelation::try_from(value)
+                .expect("Failed to convert LinearRelation to CanonicalLinearRelation"),
         )
     }
 }
 
 // Structure representing the Commitment type of Protocol as SigmaProtocol
 #[derive(Clone)]
 pub enum ComposedCommitment<G: PrimeGroup> {
-    Simple(<SchnorrProof<G> as SigmaProtocol>::Commitment),
+    Simple(<CanonicalLinearRelation<G> as SigmaProtocol>::Commitment),
     And(Vec<ComposedCommitment<G>>),
     Or(Vec<ComposedCommitment<G>>),
 }
 
 // Structure representing the ProverState type of Protocol as SigmaProtocol
 pub enum ComposedProverState<G: PrimeGroup + ConstantTimeEq> {
-    Simple(<SchnorrProof<G> as SigmaProtocol>::ProverState),
+    Simple(<CanonicalLinearRelation<G> as SigmaProtocol>::ProverState),
     And(Vec<ComposedProverState<G>>),
     Or(ComposedOrProverState<G>),
 }
@@ -90,20 +89,20 @@ pub struct ComposedOrProverStateEntry<G: PrimeGroup + ConstantTimeEq>(
 // Structure representing the Response type of Protocol as SigmaProtocol
 #[derive(Clone)]
 pub enum ComposedResponse<G: PrimeGroup> {
-    Simple(<SchnorrProof<G> as SigmaProtocol>::Response),
+    Simple(<CanonicalLinearRelation<G> as SigmaProtocol>::Response),
     And(Vec<ComposedResponse<G>>),
     Or(Vec<ComposedChallenge<G>>, Vec<ComposedResponse<G>>),
 }
 
 // Structure representing the Witness type of Protocol as SigmaProtocol
 #[derive(Clone)]
 pub enum ComposedWitness<G: PrimeGroup> {
-    Simple(<SchnorrProof<G> as SigmaProtocol>::Witness),
+    Simple(<CanonicalLinearRelation<G> as SigmaProtocol>::Witness),
     And(Vec<ComposedWitness<G>>),
     Or(Vec<ComposedWitness<G>>),
 }
 
-type ComposedChallenge<G> = <SchnorrProof<G> as SigmaProtocol>::Challenge;
+type ComposedChallenge<G> = <CanonicalLinearRelation<G> as SigmaProtocol>::Challenge;
 
 const fn composed_challenge_size<G: PrimeGroup>() -> usize {
     (G::Scalar::NUM_BITS as usize).div_ceil(8)
@@ -113,7 +112,7 @@ impl<G: PrimeGroup + ConstantTimeEq> ComposedRelation<G> {
     fn is_witness_valid(&self, witness: &ComposedWitness<G>) -> Choice {
         match (self, witness) {
             (ComposedRelation::Simple(instance), ComposedWitness::Simple(witness)) => {
-                instance.0.is_witness_valid(witness)
+                instance.is_witness_valid(witness)
             }
             (ComposedRelation::And(instances), ComposedWitness::And(witnesses)) => instances
                 .iter()
@@ -132,8 +131,8 @@ impl<G: PrimeGroup + ConstantTimeEq> ComposedRelation<G> {
     }
 
     fn prover_commit_simple(
-        protocol: &SchnorrProof<G>,
-        witness: &<SchnorrProof<G> as SigmaProtocol>::Witness,
+        protocol: &CanonicalLinearRelation<G>,
+        witness: &<CanonicalLinearRelation<G> as SigmaProtocol>::Witness,
         rng: &mut (impl rand::Rng + rand::CryptoRng),
     ) -> Result<(ComposedCommitment<G>, ComposedProverState<G>), Error> {
         protocol.prover_commit(witness, rng).map(|(c, s)| {
@@ -145,9 +144,9 @@ impl<G: PrimeGroup + ConstantTimeEq> ComposedRelation<G> {
     }
 
     fn prover_response_simple(
-        instance: &SchnorrProof<G>,
-        state: <SchnorrProof<G> as SigmaProtocol>::ProverState,
-        challenge: &<SchnorrProof<G> as SigmaProtocol>::Challenge,
+        instance: &CanonicalLinearRelation<G>,
+        state: <CanonicalLinearRelation<G> as SigmaProtocol>::ProverState,
+        challenge: &<CanonicalLinearRelation<G> as SigmaProtocol>::Challenge,
     ) -> Result<ComposedResponse<G>, Error> {
         instance
             .prover_response(state, challenge)

src/linear_relation/canonical.rs

@@ -50,6 +50,14 @@ impl<G: PrimeGroup> CanonicalLinearRelation<G> {
     }
 
     /// Evaluate the canonical linear relation with the provided scalars
+    ///
+    /// This returns a list of image points produced by evaluating each linear combination in the
+    /// relation. The order of the returned list matches the order of [`Self::linear_combinations`].
+    ///
+    /// # Panic
+    ///
+    /// Panics if the number of scalars given is less than the number of scalar variables in this
+    /// linear relation
     pub fn evaluate(&self, scalars: &[G::Scalar]) -> Vec<G> {
         self.linear_combinations
             .iter()
@@ -376,6 +384,14 @@ impl<G: PrimeGroup> CanonicalLinearRelation<G> {
     }
 }
 
+impl<G: PrimeGroup> TryFrom<LinearRelation<G>> for CanonicalLinearRelation<G> {
+    type Error = InvalidInstance;
+
+    fn try_from(value: LinearRelation<G>) -> Result<Self, Self::Error> {
+        Self::try_from(&value)
+    }
+}
+
 impl<G: PrimeGroup> TryFrom<&LinearRelation<G>> for CanonicalLinearRelation<G> {
     type Error = InvalidInstance;
 

src/linear_relation/mod.rs

@@ -16,7 +16,6 @@ use group::prime::PrimeGroup;
 
 use crate::codec::Shake128DuplexSponge;
 use crate::errors::{Error, InvalidInstance};
-use crate::schnorr_protocol::SchnorrProof;
 use crate::Nizk;
 
 /// Implementations of conversion operations such as From and FromIterator for var and term types.
@@ -539,7 +538,7 @@ impl<G: PrimeGroup> LinearRelation<G> {
     pub fn into_nizk(
         self,
         session_identifier: &[u8],
-    ) -> Result<Nizk<SchnorrProof<G>, Shake128DuplexSponge<G>>, InvalidInstance> {
+    ) -> Result<Nizk<CanonicalLinearRelation<G>, Shake128DuplexSponge<G>>, InvalidInstance> {
         Ok(Nizk::new(session_identifier, self.try_into()?))
     }
 }

src/schnorr_protocol.rs

@@ -4,8 +4,8 @@
 //! a Sigma protocol proving different types of discrete logarithm relations (eg. Schnorr, Pedersen's commitments)
 //! through a group morphism abstraction (see [Maurer09](https://crypto-test.ethz.ch/publications/files/Maurer09.pdf)).
 
-use crate::errors::{Error, InvalidInstance};
-use crate::linear_relation::{CanonicalLinearRelation, LinearRelation};
+use crate::errors::Error;
+use crate::linear_relation::CanonicalLinearRelation;
 use crate::{
     serialization::{
         deserialize_elements, deserialize_scalars, serialize_elements, serialize_scalars,
@@ -17,70 +17,9 @@ use ff::Field;
 use group::prime::PrimeGroup;
 use rand::{CryptoRng, Rng, RngCore};
 
-/// A Schnorr protocol proving knowledge of a witness for a linear group relation.
-///
-/// This implementation generalizes Schnorr’s discrete logarithm proof by using
-/// a [`LinearRelation`], representing an abstract linear relation over the group.
-///
-/// # Type Parameters
-/// - `G`: A [`PrimeGroup`] instance.
-#[derive(Clone, Default, Debug)]
-pub struct SchnorrProof<G: PrimeGroup>(pub CanonicalLinearRelation<G>);
-
-pub struct ProverState<G: PrimeGroup>(Vec<G::Scalar>, Vec<G::Scalar>);
-
-impl<G: PrimeGroup> SchnorrProof<G> {
-    pub fn witness_length(&self) -> usize {
-        self.0.num_scalars
-    }
-
-    pub fn commitment_length(&self) -> usize {
-        self.0.linear_combinations.len()
-    }
-
-    /// Internal method to commit using provided nonces (for deterministic testing)
-    pub fn commit_with_nonces(
-        &self,
-        witness: &[G::Scalar],
-        nonces: &[G::Scalar],
-    ) -> Result<(Vec<G>, ProverState<G>), Error> {
-        if witness.len() != self.witness_length() {
-            return Err(Error::InvalidInstanceWitnessPair);
-        }
-        if nonces.len() != self.witness_length() {
-            return Err(Error::InvalidInstanceWitnessPair);
-        }
-
-        // If the image is the identity, then the relation must be
-        // trivial, or else the proof will be unsound
-        if self
-            .0
-            .image
-            .iter()
-            .zip(self.0.linear_combinations.iter())
-            .any(|(&x, c)| x == G::identity() && !c.is_empty())
-        {
-            return Err(Error::InvalidInstanceWitnessPair);
-        }
-
-        let commitment = self.0.evaluate(nonces);
-        let prover_state = ProverState(nonces.to_vec(), witness.to_vec());
-        Ok((commitment, prover_state))
-    }
-}
-
-impl<G: PrimeGroup> TryFrom<LinearRelation<G>> for SchnorrProof<G> {
-    type Error = InvalidInstance;
-
-    fn try_from(linear_relation: LinearRelation<G>) -> Result<Self, Self::Error> {
-        let canonical_linear_relation = CanonicalLinearRelation::try_from(&linear_relation)?;
-        Ok(Self(canonical_linear_relation))
-    }
-}
-
-impl<G: PrimeGroup> SigmaProtocol for SchnorrProof<G> {
+impl<G: PrimeGroup> SigmaProtocol for CanonicalLinearRelation<G> {
     type Commitment = Vec<G>;
-    type ProverState = ProverState<G>;
+    type ProverState = (Vec<G::Scalar>, Vec<G::Scalar>);
     type Response = Vec<G::Scalar>;
     type Witness = Vec<G::Scalar>;
     type Challenge = G::Scalar;
@@ -103,26 +42,29 @@ impl<G: PrimeGroup> SigmaProtocol for SchnorrProof<G> {
         witness: &Self::Witness,
         rng: &mut (impl RngCore + CryptoRng),
     ) -> Result<(Self::Commitment, Self::ProverState), Error> {
-        if witness.len() != self.witness_length() {
+        if witness.len() != self.num_scalars {
             return Err(Error::InvalidInstanceWitnessPair);
         }
 
+        // TODO: Check this when constructing the CanonicalLinearRelation instead of here.
         // If the image is the identity, then the relation must be
         // trivial, or else the proof will be unsound
         if self
-            .0
             .image
             .iter()
-            .zip(self.0.linear_combinations.iter())
+            .zip(self.linear_combinations.iter())
             .any(|(&x, c)| x == G::identity() && !c.is_empty())
         {
             return Err(Error::InvalidInstanceWitnessPair);
         }
 
-        let nonces = (0..self.witness_length())
+        let nonces = (0..self.num_scalars)
             .map(|_| G::Scalar::random(&mut *rng))
             .collect::<Vec<_>>();
-        self.commit_with_nonces(witness, &nonces)
+
+        let commitment = self.evaluate(&nonces);
+        let prover_state = (nonces.to_vec(), witness.to_vec());
+        Ok((commitment, prover_state))
     }
 
     /// Computes the prover's response (second message) using the challenge.
@@ -141,7 +83,7 @@ impl<G: PrimeGroup> SigmaProtocol for SchnorrProof<G> {
         prover_state: Self::ProverState,
         challenge: &Self::Challenge,
     ) -> Result<Self::Response, Error> {
-        let ProverState(nonces, witness) = prover_state;
+        let (nonces, witness) = prover_state;
 
         let responses = nonces
             .into_iter()
@@ -172,14 +114,14 @@ impl<G: PrimeGroup> SigmaProtocol for SchnorrProof<G> {
         challenge: &Self::Challenge,
         response: &Self::Response,
     ) -> Result<(), Error> {
-        if commitment.len() != self.commitment_length() || response.len() != self.witness_length() {
+        if commitment.len() != self.image.len() || response.len() != self.num_scalars {
             return Err(Error::InvalidInstanceWitnessPair);
         }
 
-        let lhs = self.0.evaluate(response);
+        let lhs = self.evaluate(response);
         let mut rhs = Vec::new();
         for (i, g) in commitment.iter().enumerate() {
-            rhs.push(self.0.image[i] * challenge + g);
+            rhs.push(self.image[i] * challenge + g);
         }
         if lhs == rhs {
             Ok(())
@@ -247,7 +189,7 @@ impl<G: PrimeGroup> SigmaProtocol for SchnorrProof<G> {
     /// # Errors
     /// - Returns [`Error::VerificationFailure`] if the data is malformed or contains an invalid encoding.
     fn deserialize_commitment(&self, data: &[u8]) -> Result<Self::Commitment, Error> {
-        deserialize_elements::<G>(data, self.commitment_length()).ok_or(Error::VerificationFailure)
+        deserialize_elements::<G>(data, self.image.len()).ok_or(Error::VerificationFailure)
     }
 
     /// Deserializes a byte slice into a challenge scalar.
@@ -281,19 +223,19 @@ impl<G: PrimeGroup> SigmaProtocol for SchnorrProof<G> {
     /// # Errors
     /// - Returns [`Error::VerificationFailure`] if the byte data is malformed or the length is incorrect.
     fn deserialize_response(&self, data: &[u8]) -> Result<Self::Response, Error> {
-        deserialize_scalars::<G>(data, self.witness_length()).ok_or(Error::VerificationFailure)
+        deserialize_scalars::<G>(data, self.num_scalars).ok_or(Error::VerificationFailure)
     }
 
     fn instance_label(&self) -> impl AsRef<[u8]> {
-        self.0.label()
+        self.label()
     }
 
     fn protocol_identifier(&self) -> impl AsRef<[u8]> {
         b"draft-zkproof-fiat-shamir"
     }
 }
 
-impl<G> SigmaProtocolSimulator for SchnorrProof<G>
+impl<G> SigmaProtocolSimulator for CanonicalLinearRelation<G>
 where
     G: PrimeGroup,
 {
@@ -306,7 +248,7 @@ where
     /// # Returns
     /// - A commitment and response forming a valid proof for the given challenge.
     fn simulate_response<R: Rng + CryptoRng>(&self, rng: &mut R) -> Self::Response {
-        let response: Vec<G::Scalar> = (0..self.witness_length())
+        let response: Vec<G::Scalar> = (0..self.num_scalars)
             .map(|_| G::Scalar::random(&mut *rng))
             .collect();
         response
@@ -345,16 +287,14 @@ where
         challenge: &Self::Challenge,
         response: &Self::Response,
     ) -> Result<Self::Commitment, Error> {
-        if response.len() != self.witness_length() {
+        if response.len() != self.num_scalars {
             return Err(Error::InvalidInstanceWitnessPair);
         }
 
-        let response_image = self.0.evaluate(response);
-        let image = &self.0.image;
-
+        let response_image = self.evaluate(response);
         let commitment = response_image
             .iter()
-            .zip(image)
+            .zip(&self.image)
             .map(|(res, img)| *res - *img * challenge)
             .collect::<Vec<_>>();
         Ok(commitment)